#jinja2:lstrip_blocks: True
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>IKEv2</key>
            <dict>
              <key>OnDemandEnabled</key>
              <integer>{{ 1 if algo_ondemand_wifi or algo_ondemand_cellular else 0 }}</integer>
              <key>OnDemandRules</key>
              <array>
{% if algo_ondemand_wifi or algo_ondemand_cellular %}
  {% if algo_ondemand_wifi_exclude|b64decode != '_null' %}
    {% set WIFI_EXCLUDE_LIST = (algo_ondemand_wifi_exclude|b64decode|string).split(',') %}
                  <dict>
                      <key>Action</key>
                      <string>Disconnect</string>
                      <key>InterfaceTypeMatch</key>
                      <string>WiFi</string>
                      <key>SSIDMatch</key>
                      <array>
    {% for network_name in WIFI_EXCLUDE_LIST %}
                          <string>{{ network_name|e }}</string>
    {% endfor %}
                      </array>
                  </dict>
  {% endif %}
                  <dict>
                    <key>Action</key>
  {% if algo_ondemand_wifi %}
                      <string>Connect</string>
  {% else %}
                      <string>Disconnect</string>
  {% endif %}
                    <key>InterfaceTypeMatch</key>
                      <string>WiFi</string>
                    <key>URLStringProbe</key>
                      <string>http://captive.apple.com/hotspot-detect.html</string>
                  </dict>
                  <dict>
                    <key>Action</key>
  {% if algo_ondemand_cellular %}
                      <string>Connect</string>
  {% else %}
                      <string>Disconnect</string>
  {% endif %}
                    <key>InterfaceTypeMatch</key>
                      <string>Cellular</string>
                    <key>URLStringProbe</key>
                      <string>http://captive.apple.com/hotspot-detect.html</string>
                  </dict>
{% endif %}
                  <dict>
                    <key>Action</key>
                      <string>{{ 'Disconnect' if algo_ondemand_wifi or algo_ondemand_cellular else 'Connect' }}</string>
                  </dict>
                </array>
                <key>AuthenticationMethod</key>
                <string>Certificate</string>
                <key>ChildSecurityAssociationParameters</key>
                <dict>
                    <key>DiffieHellmanGroup</key>
                    <integer>20</integer>
                    <key>EncryptionAlgorithm</key>
                    <string>AES-256-GCM</string>
                    <key>IntegrityAlgorithm</key>
                    <string>SHA2-512</string>
                    <key>LifeTimeInMinutes</key>
                    <integer>1440</integer>
                </dict>
                <key>DeadPeerDetectionRate</key>
                <string>Medium</string>
                <key>DisableMOBIKE</key>
                <integer>0</integer>
                <key>DisableRedirect</key>
                <integer>1</integer>
                <key>EnableCertificateRevocationCheck</key>
                <integer>0</integer>
                <key>EnablePFS</key>
                <true/>
                <key>IKESecurityAssociationParameters</key>
                <dict>
                    <key>DiffieHellmanGroup</key>
                    <integer>20</integer>
                    <key>EncryptionAlgorithm</key>
                    <string>AES-256-GCM</string>
                    <key>IntegrityAlgorithm</key>
                    <string>SHA2-512</string>
                    <key>LifeTimeInMinutes</key>
                    <integer>1440</integer>
                </dict>
                <key>LocalIdentifier</key>
                <string>{{ item.0 }}@{{ openssl_constraint_random_id }}</string>
                <key>PayloadCertificateUUID</key>
                <string>{{ pkcs12_PayloadCertificateUUID }}</string>
                <key>CertificateType</key>
                <string>ECDSA384</string>
                <key>ServerCertificateIssuerCommonName</key>
                <string>{{ IP_subject_alt_name }}</string>
                <key>RemoteAddress</key>
                <string>{{ IP_subject_alt_name }}</string>
                <key>RemoteIdentifier</key>
                <string>{{ IP_subject_alt_name }}</string>
                <key>UseConfigurationAttributeInternalIPSubnet</key>
                <integer>0</integer>
            </dict>
            <key>IPv4</key>
            <dict>
                <key>OverridePrimary</key>
                <integer>1</integer>
            </dict>
            <key>PayloadDescription</key>
            <string>Configures VPN settings</string>
            <key>PayloadDisplayName</key>
            <string>{{ algo_server_name }}</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.vpn.managed.{{ VPN_PayloadIdentifier }}</string>
            <key>PayloadType</key>
            <string>com.apple.vpn.managed</string>
            <key>PayloadUUID</key>
            <string>{{ VPN_PayloadIdentifier }}</string>
            <key>PayloadVersion</key>
            <real>1</real>
            <key>Proxies</key>
            <dict>
                <key>HTTPEnable</key>
                <integer>0</integer>
                <key>HTTPSEnable</key>
                <integer>0</integer>
            </dict>
            <key>UserDefinedName</key>
            <string>AlgoVPN {{ algo_server_name }} IKEv2</string>
            <key>VPNType</key>
            <string>IKEv2</string>
        </dict>
        <dict>
            <key>Password</key>
            <string>{{ p12_export_password }}</string>
            <key>PayloadCertificateFileName</key>
            <string>{{ item.0 }}.p12</string>
            <key>PayloadContent</key>
            <data>
            {{ item.1.stdout }}
            </data>
            <key>PayloadDescription</key>
            <string>Adds a PKCS#12-formatted certificate</string>
            <key>PayloadDisplayName</key>
            <string>{{ algo_server_name }}</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.security.pkcs12.{{ pkcs12_PayloadCertificateUUID }}</string>
            <key>PayloadType</key>
            <string>com.apple.security.pkcs12</string>
            <key>PayloadUUID</key>
            <string>{{ pkcs12_PayloadCertificateUUID }}</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
        <dict>
            <key>PayloadCertificateFileName</key>
            <string>ca.crt</string>
            <key>PayloadContent</key>
            <data>
            {{ PayloadContentCA }}
            </data>
            <key>PayloadDescription</key>
            <string>Adds a CA root certificate</string>
            <key>PayloadDisplayName</key>
            <string>{{ algo_server_name }}</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.security.root.{{ CA_PayloadIdentifier }}</string>
            <key>PayloadType</key>
            <string>com.apple.security.root</string>
            <key>PayloadUUID</key>
            <string>{{ CA_PayloadIdentifier }}</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>AlgoVPN {{ algo_server_name }} IKEv2</string>
    <key>PayloadIdentifier</key>
    <string>donut.local.{{ 500000 | random | to_uuid | upper }}</string>
    <key>PayloadOrganization</key>
	<string>AlgoVPN</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>{{ 400000 | random | to_uuid | upper }}</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
